Re: detecting network crowd surges



Could be botnets, zombies, malware, .etc. We're observing
surges
on port 80 & 443 as well. For those, the threshold needs to
be a
bit higher than non-web stuff because by chance, you'll get
a certain
percentage of people happening to go to MySpace, Google,
CNN, .etc.

Also, if one were to send out an SSH worm, then SSH could be
an
ideal communication vector.

The "common" way to control botnets seems to be IRC channels
and
AIM.

Ron

I wonder, though, is this how real botnets are controlled?

Surely it would be fair easier, and less obtrusive, to
control your botnet via a updated http site. like
http://<mikeiscool>/instructions.txt. Every day the bots
would log on and receive their latest orders. Makes sense
to hide in http rather then risk a protocol that might be
blocked, doesn't it?

-- mic

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------